How the insurance industry could change the game for security

The recent growth in the cyber insurance market is already improving security in some industry segments.

Instead, the industry is struggling with a dramatic shortage of personnel and a problem with getting good actuarial data.

"Most people writing cyber insurance don't have technical backgrounds," he said. "They come from writing some other type of property and casualty insurance. They need to hire better people -- and collect more data."

And the data is another problem. In cyber insurance, the risks change more quickly than in any other type of insurance.

Cars don't -- yet, at least -- deliberately try to find new ways to kill their drivers. Tornadoes don't deliberately aim for trailers parks. But cyber criminals actively look for news ways around security controls, and when they find something that works not only does the news spread quickly to all the other criminals, but through the use of automation, botnets, crimeware-as-a-service and other tools the criminals can launch fast, massive attacks against, well, everybody.

Take ransomware, for example. SonicWall saw the number of attacks go from just 3 million attacks in 2014 to 638 million last year. That added up to $1 billion in profits for the ransomware industry.

As a result, there are very few hard criteria for insurance companies to use when pricing policies.

"It's largely qualitative, not quantitative," said Thomas.

They can look at the total amount of data at risk, and cost of responding to breaches and outages. Insurance companies also look at compliance -- does the customer meet PCI or HIPAA requirements, or the new financial services regulations in New York State?

And these kinds of guidelines don't help much when the threats come out of the blue.

"Last year, our industry saw a large-scale cyber incident that never occurred before," said Mike Donaldson, solutions specialist at Bay Dynamics. "We had a DDoS attack executed successfully across millions of endpoints that took down some major retailers."

The number of vulnerable endpoints is increasing, he added, and now includes cars and medical devices and cameras. That means that an insurance company may be dealing with tens of thousands to millions of endpoints.

"That makes it very challenging to assess risks," he said.

Plus, many companies use third-party services -- such as the cloud services providers hit by the recent DDoS attack. In some ways that creates the possibility of wide-ranging, catastrophic risks.

But in other ways, using third-party services can improve a company's risk profile, if the vendor is doing a particularly good job in security. So, for example, a car owner might pay a lower insurance premium if they buy a safer car.

"The cyber insurance industry has not leveraged the same telemetry to make the same kind of decisions," said Rajiv Gupta, CEO at Skyhigh Networks. "Part of it is that the cyber insurance industry is much younger than the auto insurance or home insurance industry. And, in many cases, the industry is still not even aware that there is a way to objectively determine, or as objectively as possible, what is the security posture of a company."